Blog

Recent ransomware attacks in the retail industry | Blog

Written by IRONSCALES | Aug 20, 2021

Ransomware attacks pose serious cybersecurity risks for retailers. If an attack manages to disrupt customer-facing operations during peak business periods, it could have a disastrous effect on a retailer’s bottom line. This article looks at the state of ransomware in the retail industry by focusing on recent attacks and the lessons retailers can learn from them.

Notable Ransomware Attacks That Hit Retailers

Here is a brief run-through of five notable ransomware attacks on retailers within the last couple of years.

The Works: April 2022

UK-based retailer The Works was the victim of a successful ransomware attack.  Reports indicate that the company had to shut down all 526 of its stores initially while its IT team investigated the impact of the attack but fortunately was able to open all but five stores within days of the attack.  To date, there has been no ransom demanded of the company, but the software used in the attack is known to be a weapon of ransomware gangs. The company reported that no credit card data was stolen, as these payments are processed by an external third-party vendor.

Moncler: January 2022

Italian luxury fashion designer brand Moncler reported that it had been the victim of a successful ransomware attack.  Reports after the attack said that it was the ransomware group Black Cat who attacked the company. The attackers demanded payment of $3 million and threatened that they would post sensitive company details on the dark web if not paid. Montcler refused to pay the ransom, so Black Cat posted a series of documents related the the company's finances and customer base.  

Coop Grocery Store: June 2021

Coop is a Swedish chain of supermarkets that became one of the worst impacted companies from the Kaseya ransomware attack in July 2021. Affecting over 1,500 organizations around the world, the Kaseya attack exploited vulnerabilities in Kaseya VSA, which is an endpoint management application used by managed service providers.

The threat actors involved in this attack was the REvil ransomware group, which claims to make annual revenue of $100 million through its malicious cyber activities. Coop had to close over 800 of its stores because the Kaseya attack directly impacted its cash registers. The ransomware propagated to Coop’s payment systems Visma, which is a Swedish MSP that manages payment systems for the supermarket chain.

Dairy Farm Group: January 2021

In January 2021, ransomware struck one of Asia’s largest retailers, the Dairy Farm Group. Once again, REvil instigated the attack and demanded a whopping $30 million ransom payment. It appears this was a double extortion attack in which the attackers demanded a higher ransom payment for the victim to decrypt compromised IT assets and avoid having exfiltrated data posted on the dark web.

The severity of this incident was such that the threat actors managed to take full control of the company’s email system. Losing access to email is a nightmare scenario because it’s much harder to communicate with employees about an in-progress cyber incident and instruct them on which actions to take that will help deal with the incident.

Whirlpool: December 2020

Whirlpool is a multinational home appliances provider that became the victim of a ransomware attack in the first weekend of December 2020. The Nefilim ransomware gang typically focuses its attacks on large companies using double extortion methods.

A ransom note left on Whirlpool’s computers said, “we have encrypted your files with military-grade algorithms. If you don’t have extensive backups, the only way to retrieve your files is with our software.” Whirlpool managed to detect and contain the incident swiftly, which meant no noticeable operational impact. Nefilim published some data on the dark web obtained from Whirlpool’s network, including inventory spreadsheets, work charts, plant audit details.

E-Land: November 2020

In November 2020, the South Korean retail giant E-Land had to close 23 of its retail outlets in response to a ransomware incident. The Clop gang carried out the attack on E-Land whose CEO claimed at the time that sensitive customer data was safe. The network was disrupted, which impacted the ability to carry out in-store operations at some retail outlets.

However, a media interview with the Clop gang revealed that this ransomware attack was more damaging than first disclosed. According to Clop operators, they had breached the E-Land network well over 12 months prior. The result was to install POS malware and obtain the credit card details of over 2 million customers. After exfiltrating this potentially valuable data, the gang then installed ransomware that locked important files and systems.

Travelex: December 2019

In December 2019, the foreign exchange services retailer Travelex fell victim to a serious ransomware attack that ultimately led to the company’s bankruptcy and the loss of 1,300 jobs. The attack, instigated by REvil, forced the shutdown of the company’s website and disrupted operations at brick-and-mortar outlets for over two weeks.

The incident occurred when threat actors breached the network by exploiting unpatched vulnerabilities in VPN servers used by Travelex. Some customers were left stranded in foreign locations without local currency as a result of the disruptions. Ultimately, the level of desperation to get their systems back resulted in the decision to pay a $2.3 million ransom.

Lessons Learned for Retailers

Based on the above ransomware incidents, there are several takeaways for retailers that help to understand the risks they face and put in place defenses to mitigate those risks.

Software Supply Chain Risks

The Kaseya incident highlighted the often-underplayed risks that can stem from a retailer’s software supply chain. Retailers run complex operations, relying on many different software vendors to provide customer-facing and back-store functionalities. It’s important to have visibility into all aspects of the software supply chain and react quickly after a compromise.

Business Continuity Strategies

While the Whirlpool incident resulted in some data theft, an efficient incident response (IR) strategy meant no operational disruptions. Retailers should have business continuity strategies in place, which include disaster recovery, the ability to restore email, and effective incident response teams who can contain an attack before it locks down the entire network.

Advanced Endpoint Security

The E-land attack showed that legacy signature-based endpoint security solutions aren’t enough to detect cyber attacks. The Clop gang breached E-Land’s network and probed it undetected for up to 12 months. Advanced endpoint security solutions use AI-driven features to detect suspicious endpoint behavior that can indicate an attack.

Unpatched Vulnerabilities

The Travelex attack was particularly surprising due to the basic cybersecurity flaws exposed. A security patch for the VPN vulnerability was available months before the incident occurred, but Travelex failed to apply the patch on time. Automated patch management is one of the quickest wins for any company—not just retailers—in avoiding data breaches.

Wrapping Up

Retailers will continue to be targets of ransomware attacks over the coming years. Learning useful lessons from other incidents is one way to stay ahead of attackers. Another important strategy for combating ransomware is defending against phishing. Many ransomware attacks start with a convincing email sent to employees that persuade them to click malicious links or download files.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.

This blog was updated in June 2022